Ask.com’s Privacy Tool Tracks Users, Groups Tell Feds — Updated

A coalition of privacy groups filed a federal complaint Saturday against Ask.com, alleging that AskEraser – the company’s recently unveiled search engine history anonymization tool – doesn’t actually protect users’ privacy and could be used to track people when they thought they were anonymous.

The groups, which include the Electronic Privacy Information Center, are asking the Federal Trade Commission to find that Ask.com is engaged in unfair trade practices by making false promises to users. The groups want the FTC to force the company to modify the program.

Specifically, the groups charge that even when the search anonymization tool is turned on, Ask.com’s advertising partners — which include Google — are able to see and store search terms and identifiers that tie a search to an individual.

Ask.com’s hoped its history erasing tool would make it the privacy leader for search engines, which have only reluctantly begun loosening their hold on user data as they face increasing scrutiny from government regulators around the world.

But the limitations of Ask’s privacy offering were immediately noticed by the press and privacy groups.

AskEraser, which can be turned on and off from Ask.com’s main screen, lets individuals tell the search engine to forget search queries and who made them. Search engines generally hang on to such data for more than a year in order to serve relevant ads and to try to make search results more personal.

Ask’s tool relies on a permanent cookie on a user’s computer that the company’s servers rely on to know when to delete search terms. The complaint alleges that Ask Eraser’s cookie requirement means that privacy-conscious users will have to turn off cookie blocking – a common, but brute force, way of ensuring online privacy.

Moreover, the groups argue that cookie includes a time stamp down to the second, which could be used as a unique identifier, according to the complaint (.pdf).

The use of the AskEraser opt-out cookie provides a Persistent Identifier that allows any government agency to whom Ask.com conveys the search query and the associated cookie, whether intentionally or by other mean, to track and monitor the user with the search query for as long as the user continues to use the AskEraser service.

The Center for Digital Democracy and Consumer Action, along with three other groups, also signed the complaint.

The groups first aired their concerns about the tool in a letter (.pdf) to Ask.com on December 20, and filed the complaint a month later since the company hadn’t made the requested changes, according to EPIC senior staff attorney Melissa Ngo.

Ask.com did not immediately return a call for comment.

UPDATED: Ask.com spokesman Nicholas Graham vehemently counters rejects EPIC’s complaint, arguing that Ask.com tried to work with the group to no avail:

EPIC’s weekend filing regarding AskEraser is both flawed and unfortunate. It’s unfortunate in the sense that Ask.com tried to engage in a constructive dialogue with the group last week, and was rebuffed. Privacy is an issue that demands collaboration and partnership between online companies and advocates, for the benefit of all consumers. Ask.com’s relationship with the Center for Democracy & Technology is proof-positive of that.

EPIC’s filing is flawed in the sense that the document they filed is factually inaccurate, and simply shows a fundamental misunderstanding of the functionality of our product. In addition, many of the issues they raise are outdated, while others are completely misguided from the outset, and others deal with changes that Ask.com already made to AskEraser weeks ago, and were subsequently posted publicly on our website.

It’s a shame that the industry’s first-ever privacy tool for consumers – widely acclaimed by industry experts and users alike – would be the subject of such a meritless action. It’s a move that sends a chilling message and has an adversarial effect to companies in the online space who would like to innovate on privacy to benefit users, but who might think twice based on wrongful and intimidating steps such as those taken by EPIC.

EPIC’s director Marc Rotenberg version of the story is different:

[T]he short version is that Ask wrote to us and proposed to talk last Friday. We gave them two different times and they ended up canceling on us. What a joke. […]

We have an excellent complaint and I hope the FTC shuts this company down.

UPDATED AGAIN:

The Center for Democracy and Technology on Wednesday asked the FTC to dismiss EPIC’s complaint, arguing that that Ask.com removed the time stamp from the cookies on January 1 and that EPIC should have known this before filing the complaint.

While dismissing the privacy groups’ petition, the Commission can also bolster the position of companies that step forward to provide their customers with new privacy-enhancing tools. Such companies, CDT believes, should be applauded for their vision, not condemned for their efforts; to do otherwise runs the risk of stifling innovation at a time when new and creative privacy tools are sorely needed.

CDT, which has long clashed with EPIC over tactics and philosophy, worked with Ask.com in the development of AskEraser. After that cooperation started, Ask.com joined CDT’s working group, making Ask a financial supporter of CDT, according to the letter (.pdf).